Regulation of Investigatory Powers (Monetary Penalty Notices and Consents for Interceptions) Regulations 2011

Tuesday 17th May 2011

(13 years, 6 months ago)

Grand Committee
Read Hansard Text Read Debate Ministerial Extracts
Considered in Grand Committee
17:17
Moved by
Baroness Verma Portrait Baroness Verma
- Hansard - - - Excerpts



That the Grand Committee do report to the House that it has considered the Regulation of Investigatory Powers (Monetary Penalty Notices and Consents for Interceptions) Regulations 2011.

Relevant documents: 20th Report from the Joint Committee on Statutory Instruments.

Baroness Verma Portrait Baroness Verma
- Hansard - - - Excerpts

My Lords, the Government are pleased to bring forward these regulations which, through amendments to the Regulation of Investigatory Powers Act 2000, will provide additional protection for the users of electronic communications. The regulations address concerns expressed by the European Commission that the UK had failed adequately to transpose EU law requirements concerning the confidentiality of electronic communications, specifically concerning the interception of communications.

RIPA provides that interception of communications can be lawfully undertaken either in accordance with a warrant signed by the Secretary of State or, in other specified circumstances, without a warrant. The changes brought about by these regulations will impact on interception without a warrant.

Communications service providers may lawfully and legitimately intercept communications when it is necessary for them to do so—for example, in order to manage their networks. Where businesses choose to carry out interception to provide value-added services, an activity that is carried out at the discretion of service providers, RIPA requires the consent of both the sender and the recipient of the communications that will be intercepted. RIPA also provides for criminal sanctions against the intended, unlawful interception of communications.

However, to address deficiencies in the statutory regime identified by the European Commission, these regulations amend RIPA in two significant respects. First, they create a civil sanction for the unlawful interception of electronic communications that does not constitute an offence under Section 1 of RIPA. In other words, we are establishing a sanction for unintentional and unlawful interception of electronic communications. Fines of up to £50,000 can be imposed, together with a requirement that activity that has been determined to be unlawful under these regulations must stop. Secondly, the regulations clarify the nature of the consent that must be given by a party consenting to the interception of a communication in order to render that interception lawful. Reasonable grounds for believing that consent has been obtained will no longer be sufficient.

Under the regulations, the administration of the new civil sanction will be undertaken by the Interception of Communications Commissioner, whose expertise and independence will ensure that the new requirements are rigorously and fairly applied. He will be able to draw on technical assistance from Ofcom as and when required.

The regulations also provide for a comprehensive appeals process to the first tier tribunal. This will deal with appeals against the imposition of either monetary penalties or a requirement to stop an activity that the commissioner has determined is unlawful. The regulations reinforce and clarify the statutory regime under which interception of communications can be carried out lawfully and with proper respect for a person’s right to a private life. When interception is carried out unlawfully, appropriate penalties will be imposed. The regulations address the two main concerns raised during the consultation on these issues with communications service providers, civil liberties groups and others. They provide for an appropriate maximum monetary penalty for the new civil sanction and ensure that the scope of the sanction is sufficiently broad to cover all instances of relevant unlawful interception.

We expect any business impact on communications service providers to be minimal. The regulations will not stop activities that providers wish to undertake—for example, providing value-added services to their customers. However, when such activity amounts to the interception of communications, the regulations strengthen the requirement that the interception must be consensual and that there must be evidence of the consent of those affected. This will provide welcome reassurance to customers that their privacy is being properly respected, together with greater clarity to the industry on how to ensure that its activities are lawful.

We have worked constructively with the European Commission to ensure that its concerns have been addressed. The regulations will provide confidence that interception of communications is in all circumstances carried out lawfully and with due respect for fundamental rights. Where such respect is not observed and interception is unlawful, appropriate penalties can be imposed. I commend the regulations to the Committee.

Lord Rosser Portrait Lord Rosser
- Hansard - - - Excerpts

My Lords, first I thank the Minister for explaining in detail the regulations and their purpose. The main reason for this instrument, and for the stronger wording and stiffer penalties that it provides, appears to be the desire to meet the concerns of the European Commission that the United Kingdom has failed to incorporate properly into national law the European Union's privacy and electronic communications directive. It has been claimed that concerns were prompted by complaints received by the Commission from BT customers after it conducted unannounced, targeted advert trials through a software company that used its technology to intercept and monitor the web activity of BT customers to match adverts to the interests of users.

The Crown Prosecution Service recently decided not to proceed with action against BT and the software company as it did not consider that there was enough evidence to convict. However, last September the Commission referred the United Kingdom to the European Court of Justice, citing concerns that our laws did not adequately protect against intrusion into personal privacy. The concerns were that we had not created a sanction for all unlawful interception, only for intentional interception; that we had not created an independent authority responsible for the supervision of all interception activities; and that we had wrongly made it lawful to intercept a communication where the interceptor had a reasonable belief in the other party's consent to the interception.

On the basis of what the Minister said, the Government acknowledged the first and third points, but not the second on the independent authority. Perhaps the Minister will comment on that. Perhaps she could also say whether the Government regard the provisions in this regulation are likely to bring to an end any proceedings at the European Court of Justice.

The Government proposed amendments to the Regulation of Investigatory Powers Act last November, and the outcome of the consultation showed strong support among the 39 respondents for the adoption of what were described as “unambiguous measures”, making it clear that users have to grant consent before companies can intrude on their communications, and that it should no longer be sufficient to maintain that including relevant information within the general terms and conditions of privacy policies would allow for a sufficient expression of consent. We note that guidance will be provided by the office of the Interception of Communications Commissioner and we understand the reasons for this statutory instrument. I also take it from the words used by the Minister that the Government are perfectly happy to proceed with this revision of the Act. They do not regard it as an example of what they would describe as unnecessary bureaucracy and regulation, and they do not regard themselves as having to do this simply because the European Commission has told them they ought to do it. I had the impression from what the noble Baroness said that the Government themselves believe that this is the appropriate action to take. I would be grateful if she would confirm what I believe she said in her introductory comments.

I conclude by asking when the guidance will be provided by the office of the Interception of Communications Commissioner. Will she also confirm that the anticipated additional workload and costs on the public purse is effectively nil?

Lord Shipley Portrait Lord Shipley
- Hansard - - - Excerpts

My Lords, I, too, thank my noble friend for proposing this statutory instrument. I do so because it strengthens the rights of the individual and is therefore most welcome. However, it is not clear why the privacy directive produced in 2003 was not put in place correctly at the time. It is now some eight years since that occurred. If the Minister is in a position to say a little more about why it has taken so long to put this right, that would be welcome.

Two of the three issues raised by the European Commission have now been addressed. Those are, first, the introduction of unintentional as well as intentional interception; and, secondly, the requirement for positive consent by an individual for interception. But a question remains around the role of the independent authority. I would like to be clear about this because the European Commission raised three concerns, the second of which was that:

“The UK had failed to create an independent authority responsible for the supervision of all interception activities as required by Article 28 of the Data Protection Directive”.

The Explanatory Notes to the regulations state simply that:

“The Government has not conceded the alleged defective transposition [from the directive] identified”.

It is not clear to me quite why the Government have not conceded that.

That takes me on to the issue of the Information Commissioner, as distinct from the Interception of Communications Commissioner. The office of the Information Commissioner submitted a lengthy response to the consultation to this RIPA regulation, from which I will quote from paragraph 1.5:

“If personal data is intercepted unlawfully under section 1(1) of RIPA this may also constitute a breach of the first data protection principle. It will be important therefore to draft the legislation in a way which allows the ICO to work with the IoCC once it has been established if an interception is unintentionally unlawful”.

The question is this: is the Office of the Information Commissioner satisfied with the result of the consultation and the statutory instrument?

I have two final points on which I would appreciate guidance from the Minister. First, are we clear on how consent will be given to the monitoring of communications? In other words, how the opt-in is taken by an individual is extremely important. Secondly, how soon might we review this statutory instrument? A year or two from now, will there be a further review to assess whether what we have proposed in meeting the European directive has been achieved?

17:30
Baroness Verma Portrait Baroness Verma
- Hansard - - - Excerpts

I am grateful to noble Lords for their thoughtful consideration of and warm welcome for the regulations. The regulations will provide additional protection by ensuring that users consent to the interception of their communications if obtained in circumstances where such consent is required. I will elaborate a little further. A new sanction for the unintentional unlawful interception of electronic communications will provide an important and additional reassurance to users that their privacy will be respected.

I will try to respond to some of the questions that noble Lords have asked. The noble Lord, Lord Rosser, asked if we were forced by the EU to take on this extra instrument to protect users. We agree that we had to correct the transposition of the privacy and data protection directives in two respects. We have welcomed the opportunity to be able to provide members of the public with that additional protection.

The noble Lord asked when guidance would be produced. The Interception Commissioner is producing guidance, and we understand that it will be ready in approximately three weeks’ time.

The noble Lord asked why we did not accept that Article 28 of the data protection directive required us to establish an independent supervisory body to deal with unlawful interception. We are confident that the Interception Commissioner’s new role will provide oversight of unlawful interception and—excuse me, I am trying to read my official’s writing; I told them to write big because I cannot see—that this will satisfy the Commission.

I thank my noble friend Lord Shipley for giving me prior notice of his questions. He asked why the regulations had taken so long. It is because they are complex and we wanted to make sure that they fulfilled the transposition of the EU directives correctly. Furthermore, not only were we in discussion with the European Commission, we carried out a consultation to ensure that we listened to parties likely to be affected by these regulations.

Noble Lords asked whether the Information Commissioner was happy with the regulations and the consultation. He concluded in his response to the consultation that he recognised the need to make these changes to the legislation and welcomed the proposed amendments. He added:

“It is hoped these will provide some much needed clarification of the nature of consent required for lawful interceptions”.

Noble Lords should be assured that the Information Commissioner is very much satisfied and on side with the regulations and the powers that they undertake to ensure that the protection of users is at the forefront of what we are trying to achieve.

What form of consent was required by users? We have deleted the reference in RIPA to reasonable grounds for believing that users’ consent has been obtained. It will now be necessary for CSPs to satisfy themselves that they have required consent. Therefore, a greater onus is on them to ensure that they have met all the necessary safeguards to ensure that they are not breaking the law. The EU privacy directive requires that consent should be freely given, specific and informed.

The noble Lord, Lord Rosser, asked: what are the additional costs to the commissioner’s office? They are likely to be minimal and, in the first instance, we do not expect there to be any requirement for additional resources.

Noble Lords asked whether I can confirm that infraction issues have been resolved to the satisfaction of the Commission. The Commission referred the UK to the European Court in September 2010. We have been in dialogue with the Commission to resolve those matters, and we believe that we have done all that is required to ensure that the effective transposition of the relevant EU directives has taken place.

If I have failed to answer noble Lords’ questions, because this is a hugely technical issue, I turn to my officials while I promise that we will write to noble Lords, but the regulations will ensure that we responsibly meet our obligations under EU law. I thank noble Lords for their warm words about the regulations, and I put on record my appreciation to my officials—who let me down slightly at the last minute with their small writing—who have shown me great patience and skill in helping me to navigate incredibly difficult, complex and technical details. I commend the Motion.

Motion agreed.
Committee adjourned at 5.37 pm.